Recent Posts

Blocking specific domains

Multiple times in the last few days people have asked me the question “What do you think about blocking domains owned by anti-spam companies as a way to prevent blocklisting?” The question is not necessarily a bad one, and there are cases where blocking mail to specific domains is a good decision. Often, though, if a spam prevention program consists solely of avoiding sending email to people that may be able to cause delivery pain, there are deeper problems that should be addressed.
When I am asked about doing so, my first question is always “Why do you want to do this? What are you trying to accomplish?” Typically, the person asking the question will tell me they are attempting to prevent employees of anti-spam companies from getting mail that they will then report to the operations team as spam.
First, employees don’t always have the ability to get a specific sender blocked just because the sender spammed them. It’s not necessarily something senders should rely on, but often there are policies in place to prevent an employee from using the company to punish a “personal” spammer. And even when someone who can add a sender to their global blocking list receives spam, the listing still must comply with the corporate policies. In other words, just mailing someone “powerful” isn’t enough to result in a block. It may bring the sender to the attention of the company, but unless over all stats and show that the sender is a problem, a listing won’t happen.
Second, employees at companies do sometimes opt in to mail from commercial senders. In fact, I had one discussion with a anti-spam company about a client who was seeing intermittent delivery problems. I sent in the information about the client and the employee handling the case said “Oh, them! I signed up for mail from them. Yeah, they’re a good bunch and their stats are reasonable, they shouldn’t have any more problems.” And they didn’t.
Third, many of us who work in email, particularly those of us who have been around for a long time on the anti-spam side, have our own domains and use multiple email addresses. Just removing clearly identifiable anti-spam domains does not mean that a sender will never spam someone powerful or important. It is impossible to clean off all those email addresses from lists. We have many, many addresses, including ones at ISPs.
One extreme example is AOL.com. Every AOL employee has an AOL.com address and they are indistinguishable from the addresses used by AOL.com customers. But, if a sender spams an employee with access to the anti-spam system, and the stats are bad enough to justify a block, then that sender may see poor AOL delivery. But senders aren’t really going to block mail to all AOL.com addresses, just to avoid that scenario.
When is blocking emails to domains or a set of email addresses a good idea?

Spam that's not spam

Steve and I were talking this evening and I mentioned to him that I got “a lot of spam that wasn’t really spam. Know what I mean?”
He did. But if I tell that to you, what does it mean to you?
More on this in a couple days, but I’m onsite at a client’s for the next few days so it may take me a plane ride home to put all the thoughts down.

You might be a spammer if…

… the best thing you have to say about your email practices is “They’re CAN SPAM compliant.”
… text to .gif is a vital part of your email generation process
… you have to mail from multiple ESPs in order to get good delivery
Please contribute your own in the comments.
I’d also like to thank Al for guest posting 2 days this week. Thanks, Al!

E-Postage Just Won't Die

E-Postage is back! Wired covers a report from New Scientist. Here’s what they have to say: “Yahoo’s researchers want you to voluntarily slap a one-cent stamp on your outgoing e-mails, with proceeds going to charity, in a bid to cut down on spam. Can doing good really do away with spam, which consumes 33 terawatt hours of electricity every year, not to mention way too much of our time?”
Alex Rubin at Return Path says hold up, wait a minute. He writes: “Our contacts at Yahoo! tell us this idea is purely in the research realm, and is not scheduled for development in Yahoo! Mail. In other words: it isn’t even vaporware and isn’t likely to be a part of the Yahoo! mail system anytime soon.” He goes on to say (I’m paraphrasing) that oops, Yahoo didn’t really intend for this research to become public.
So, apparently, there are no plans for Yahoo to roll out E-Postage today, tomorrow or next week. Nothing to see here, beyond a simple web site and some thoughts from a Yahoo researcher. Some individual’s hopeful vision for the future, not a corporate announcement of an upcoming product.
E-Postage has always been a neat idea, I’ve thought. A neat idea beset by insurmountable problems. First, end users don’t want to pay for the email messages they send, they want all you can eat. With years of webmail providers offering free email access, you’ll have a heck of a time convincing somebody’s grandmother that they have to pony up a nickel to be able to email the grandkids.
Then, answer me this: Who’s going to handle the economics on the back-end? And any time you have a computer storing a resource (like, say, account information for that tiny little bit of money you’ll need to be able to send me an email), that information can be hacked, exploited, stolen. You think spammers are actually going to pony up? Why would they? They’ll just hack into millions of exploitable computers, stealing five cents from everyone along the way, and gleefully shoveling millions of spams into millions of inboxes.
This concept of E-Postage, either paying money to send email, or spending “computational power” to send email, has been kicking around for years. Periodically, some researcher comes up with the idea anew, and suggests that we all immediately adopt their sure fire plan to solve the world’s spam problem, immediately, pennies at a time. These ideas never seem to go anywhere. And that will never change until somebody can actually convince most of the world to adopt their proposed scheme. Will it ever happen? Never say never, but I have no plans to rush out and buy e-Stamps any time soon.
— Al Iverson

Beware: Phishing and Spam in Social Networks

Trend Micro warns us today about how spam and phishing can hit you even in the closed ecosystem of a social networking system such as Facebook. Malware abounds. And in the social network arena, just like anywhere else, “using your account to send spam” is a common thing for the bad guys to want to do.
In Rik Ferguson’s investigation (which I read about on CNet News), he came across a link to a URL that asked for his Facebook credentials, supposedly necessary to allow installation of a specific Facebook application. Once the credentials were handed over, the app immediately spammed all of his Facebook friends, sending them a bogus notification, attempting to draw them into visiting the phishing/malware URL, with (one assumes) the hope of spreading the infection even wider.
He’s a researcher for Trend Micro, so he knows what he’s doing. But for the rest of us, this highlights how necessary it is to be careful with who you give your usernames and passwords to. In my opinion, it’s never safe to take your username and password from one site and hand it over to another site. Some social networking make the problem even worse by blurring the lines between safe and unsafe by asking for usernames and passwords to third party accounts, but you just can never know with 100% certainty which sites are legitimate and which ones aren’t.
— Al Iverson

White House spamming: update

There’s quite a discussion about the White House spam going on over at Bronto Blog.
Ken Magill wrote about the controversy today in Magilla Marketing. Anyone who’s followed his newsletter for a while knows he’s been reporting on politicians buying and sharing lists for the last few months. He has some data that may help clarify where the addresses aren’t coming from.

Yahoo and Verizon

Mickey at Spamtacular has information about Verizon’s email system that will have relevance for anyone working in delivery.

White House sending spam?

There has been some press about political spam recently. People are receiving email from the White House that they have not opted into. At a recent press conference a reporter challenged the press secretary to defend the practice.
Chris Wheeler over at Bronto blog points out that CAN SPAM doesn’t apply as this is political mail, and CAN SPAM only covers commercial email. He also notes that most of the mail came from “forward to a friend” links which the sender has little to no control over.
Gawker has a post up “Everything you need to know about Obama’s Spam-Gate.”
There are a lot of issues here. Chris asks a number of questions on his blog, that I encourage people to think about.

Failed delivery of permission based email

A few weeks ago, ReturnPath published a study showing that 20% of permission based email was blocked. I previously discussed the definition of permission based email and that not all the mail described as permission based is actually sent with the permission of the recipient. However, I only consider this a small fraction of the mail RP is measuring, somewhere in the 3 – 5% range. What happens with the other 17 – 15% of that mail? Why is it being blocked?
There are 3 primary things I see that cause asked for and wanted email to be blocked.

Maine prohibits marketing to minors

Last week, the state of Maine passed a law prohibiting marketing using personal information to minors without verifiable consent from a parent or guardian. From what I understand, this law started out as a prohibition on using health information for marketing and expanded to any personal information.
The law defines personal information as: